lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:	Thu, 15 Sep 2011 17:48:21 -0500
From:	"Greg Scott" <GregScott@...rasupport.com>
To:	<netdev@...r.kernel.org>
Cc:	"Graham Parenteau" <adfgrahame1@...il.com>
Subject: Very confused about broute DROP

I don't get this.  Why does:

ebtables -t broute -A BROUTING -j DROP

completely knock a Linux host offline?

This is what the man page for ebtables says:

The targets DROP and ACCEPT have a special meaning in the broute table
(these names are used instead of more descriptive  names  to  keep the
implementation  generic).   DROP  actually means the frame has to be
routed, while ACCEPT means the frame has to be bridged. The BROUTING
chain is traversed very early. However, it is  only  traversed  by
frames  entering  on  a bridge port that is in forwarding state.
Normally those frames would be bridged, but you can decide otherwise
here. The redirect target is very handy here.

So based on the above paragraph, I should be able to do something like
this:

# Here is what to bridge
ebtables -t broute -A BROUTING -p IPv4 --ip-destination $PUBLIC_IP1 -j
ACCEPT
ebtables -t broute -A BROUTING -p IPv4 --ip-destination $PUBLIC_IP2 -j
ACCEPT

# Route everything else
ebtables -t broute -A BROUTING -j DROP

So I tried above and knocked that box completely offline.  I'm missing
something.

Here is what the paragraph about redirect in the ebtables man pages
says: 

The  redirect target will change the MAC target address to that of the
bridge device the frame arrived on. This target can only be used in the
BROUTING chain of the broute table and the PREROUTING chain of  the  nat
table.  In  the  BROUTING  chain,  the MAC address of the bridge port is
used as destination address, in the PREROUTING chain, the MAC address of
the bridge is used.

OK - so this target MAC address - is this the MAC Address of an ethnn
port that's part of the bridge, or the MAC Address of another node?  I
was thinking it was the MAC Address of another node, but maybe it's just
the MAC Address of a port on this bridge?  

And there are some examples here:
http://ebtables.sourceforge.net/examples/basic.html#ex_redirect

that I really don't get.  So instead of trial and error guessing, I
figured I would ask.  

If anyone can help me understand this, I'll take a stab at writing it up
as clearly as I know how for use in future versions of man pages.  

Thanks

- Greg Scott
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists